David Gardiner - Security

Someone has created a Facebook profile using your name and photo

2017-04-16T17:34:00.001+09:30

One in a series of posts on Facebook Security and Privacy

First off, don’t panic! Unless you have a really poor password, it’s unlikely that you have been hacked. Instead an annoying person has just created a new Facebook account, copied your profile picture and name, and is presumably now going through your friend list asking to become friends, and confusing all your friends who thought you were already their friend.

What can you do?

Use the Facebook “Report” function to ask Facebook to delete the fake account.

Open the fake profile page (Just click on the name)
Click on the ‘…’ button (to the right of the Message button), then click Report.
Select Report this profile and click Continue
Select They're pretending to be me or someone I know and click Continue
Select Me and click Continue
Select Submit to Facebook for Review
Usually within a matter of hours, someone at Facebook will review the details and shut down the offending account.

How can you reduce the risk of this happening?

Review your Facebook privacy and sharing settings to stop non-friends from seeing your friends list and your profile photo.

Enable Two Factor Authentication to reduce the risk of your actual Facebook account being really compromised.

Setting your Facebook privacy and sharing

2017-04-16T15:54:00.000+09:30

One in a series of posts on Facebook Security and Privacy

If you use Facebook, you should take the time to review your privacy settings and be deliberate about what details you share with the public (as distinct from just your friends). Setting this appropriately can help prevent annoying people from creating fake Facebook accounts that have the same profile photo and name as you, and that then try to trick all your Facebook contacts into become friends with them.

There’s no one answer to setting privacy settings. Some people might be quite happy to share everything with everyone whereas others will prefer to keep things strictly between friends. The important thing is that you understand and are comfortable with what you’re sharing to whom.

To review your general privacy settings

Click on the drop-down menu on the top right in Facebook in your web browser
Click Settings
On the left, click Privacy
Review the settings and change to your preference if necessary.

To restrict who can see your profile picture

Go to your Facebook profile (click on your name in the top menu bar in Facebook in your web browser)
Click on your profile photo
To the right of the photo, click on the icon next to the date
Review the current setting and change to your preference if necessary. Choosing a non-public option will reduce the risk of someone copying your profile photo. On the other hand it will make it harder for potential friends to find you.

To restrict who can see your friends

Go to your Facebook profile
Click on Friends
Click on the ‘Pencil’ icon (Manage)
Click Edit Privacy
Review the current settings. Choosing a non-public option will reduce the risk of someone pretending to be you trying to contact all your friends.

Don’t just accept the defaults, be deliberate and intentional about exactly how much and to who you are sharing your Facebook information with.

Securing your Facebook account with Two Factor authentication

2017-04-16T15:52:00.000+09:30

One in a series of posts on Facebook Security and Privacy

You should consider enabling Two Factor Authentication (often shortened to 2FA) for logging in to Facebook. This means in addition to having a unique password for Facebook (that you don’t use for any other online services), you also have to enter a (usually) 6 digit code (or receive a SMS text message) to confirm that it really is you signing in.

The two factors in “two factor” are 1) your password and 2) the 6 digit code.

The clever thing is that the 6 digit code changes every 30 seconds, so it’s no good writing it down as it will be out of date very quickly.

If you have a smart phone or tablet

Install an authenticator app on your device. I recommend (and use) the Microsoft Authenticator app (which is available for iOS, Android and Windows Phone), but there’s other options including Google Authenticator and Authy.
Open Facebook in your web browser (preferably on a different device to your smartphone)
Go to Settings, then Security and then Login Approvals
In the Code Generator section, click on third-party app.
A QR Code (like a barcode) appears.
On your smartphone, open the Microsoft Authenticator app
Click on ‘+’ to add a new account
Choose Other
Hold your smartphone in front of your computer’s web browser so that the phone’s camera can scan the QR Code.
It should automatically scan the code and add a new account entry for Facebook. eg.
Note the 6 digit number now being displayed on your phone.
Also notice there’s a countdown timer displayed next to this number. When this timer reaches zero, the number will expire and a new number will be displayed.
Switch back to your web browser and enter this number in the confirmation field and press Confirm
Click Enable to allow Login Approvals.
Click on Get Codes
Enter your password
Print out these codes and keep them in a safe place. You can use these codes as a last resort if you lose access to the Authenticator app (eg. your phone drops in the toilet)
It is also a good idea to provide your mobile phone number as a fall back in case you lose access to the Authenticator app (eg. you accidentally deleted it).

From now on, each time you log in to Facebook from a new device you will need to provide the current 6 digits from the Authenticator app as additional proof of identity. If you use some devices regularly, you can then choose not to require two factor authentication in the future.

If you use the Facebook App on your device, that can also function as an authenticator app. The downside to using this is that it only works for Facebook, whereas an app like Microsoft Authenticator can work with many online services.

These include Amazon, Dropbox, Facebook, GitHub, Google accounts, Microsoft Accounts, Mailchimp, Twitter and others. Always choose to enable 2FA for any online services you use. Many banks and financial institutions are also using similar systems.

If you have a mobile phone

Open Facebook in your web browser (preferably on a different device to your smartphone)
Go to Settings, then Security and then Login Approvals
In the Text message (SMS) section, if there is no number listed click on Add phone number
Follow through confirming the phone number

From now on, when you log in to Facebook you’ll receive a SMS text message with a code. You’ll then need to provide that code in addition to your password. If you use a device regularly, you can tell Facebook not to prompt for 2FA again.

Using 2FA with text messages is much better than not using 2FA at all, but it isn’t quite as secure as using an authenticator app. If you can’t use an app then do enable 2FA using SMS. Some services even support non-mobile numbers by reading out the code instead of as a text message.

You just received a friend request on Facebook from someone who’s already a friend

2017-04-16T15:51:00.000+09:30

One in a series of posts on Facebook Security and Privacy

First off, don’t panic! Almost certainly your friend has not “been hacked”. Instead an annoying person has just created a new Facebook account and copied your friend’s profile picture and name, and is presumably now going through their friend list asking to become friends.

What can you do?

Use the Facebook “Report” function to let your friend know.

Open the fake profile page (Just click on the name. Don’t click on Confirm Request!)
Click on the ‘…’ button (to the right of the Message button), then click Report.
Select Report this profile and click Continue
Select They're pretending to be me or someone I know and click Continue
Select Someone I know and click Continue
Select Message your friend
Type in your friend’s name. Your friend’s existing Facebook profile should be listed.
Click Send.
You friend will receive a Facebook message with a link to the offending profile and they can follow it up by reporting it to Facebook.

If you’re particularly concerned, at step 6 you can also choose Submit to Facebook for Review. You will then be asked to select your friend’s real Facebook profile and send it off to Facebook.

Facebook security and privacy

2017-04-16T15:49:00.001+09:30

I’ve had a number of friends on Facebook suffer the annoyance of having ‘fake’ accounts using the same name and profile picture to impersonate them and contacting all their friends asking to be friends.

It’s frustrating and annoying for everyone concerned. The victim who is being impersonated often also wonders if their Facebook account “has been hacked!”. Usually this is not the case, but I thought it would be helpful to write down some suggestions to help reduce the risk and help you feel more safe using Facebook.

Topics in this series:

Let me know in the comments if there’s anything else I should cover.

Automated ATO scam phone calls

2015-09-30T21:14:00.001+09:30

Yesterday and today I received some unusual calls on my mobile phone. They were both using computerised voices and claimed to be related to some legal action related to the “ATO” (presumably the Australian Tax Office). Yesterday’s call was supposedly from an “Agent John Smith”. Pretty sure the computer voice said “A-Toe”, rather than “A-T-O” too.

The calling numbers (and also the number they suggested I call them back on in the message) were:

0261004343
0261003101

The second number called twice as I didn’t hear or pick up the first time.

No surprises, it’s a scam - https://www.scamwatch.gov.au/news/telephone-calls-alleging-fake-arrest-warrants-used-to-scam-money

Interesting that they are calling my mobile – usually I get the “hello sir, your computer is sending us errors, would you like us to fix it” scams just on the home phone.

DMARC and SPF updates

2012-12-12T19:08:00.001+10:30

A while back I added a DMARC entry in DNS for my @gardiner.net.au domain. The existence of this entry then means I get daily email reports which include data from a number of email servers (eg. Google, Yahoo) about emails received from my domain and whether they were regarded as legitimate or spam. I don't receive copies of the emails themselves – just a summary of how many emails the destination site thought were legitimate and how many were rejected because they thought they were spam.

Microsoft have just announced that they too are now sending DMARC reports, so this prompted me to review my current SPF and DMARC settings to ensure that they're working properly.

The trouble with the DMARC reports are that they come via email with an attached zipped .XML file, which means you can't just view them... you have to download them, unzip them, then open it in IE (or Notepad), and scan through the XML to try and make sense of it. Wouldn't it be nice if there was a tool or service that summarised this for you?

Well it turns out there are some. I've decided try try two out - http://dmarcian.com and DMARC Analyzer.

Both of these services allow you to upload existing DMARC reports or set up email forwarding to automatically send the reports directly. You can then log in and view a summary.

I uploaded the data from the last 7 days. Here's some examples of the kind of report you get from each service:

dmarcian.com

The details for data from the 9th of December:

GARDINER.NET.AU - 3 msgs, 3 IPs
SPF-Authorized Servers - 2 groups , 2 msgs, 2 IPs, 100% auth'd
Other Servers - 1 group , 1 msg, 1 IP, 0% auth'd
65.54.190.25 (bay0-omc1-s14.bay0.hotmail.com), 1 msg, 0% auth'd
- 1 msg, disposition: None (monitor only) [none], DMARC-DKIM: fail (raw: none, d=none), DMARC-SPF: fail (raw: pass, dom: hotmail.com)

DMARC Analyzer

I was curious that both of them flagged a potential problem with an email. Sometimes this can be because it is actually spam – an email sent from an address that was not part of the authorised sender list as defined in the SPF record. But in this case, the error indicated that the email did come from a legitimate source.

Next step to confirm that my SPF record is correct. A quick trip to the SPF Record Testing Tools confirmed that yes, my SPF record was in effect, but that there was also an error message I hadn't noticed previously:

PermError SPF Permanent Error: Too many DNS lookups

So it turns out that there are limits on how many DNS lookups are allowed for SPF records. 10 to be precise.

My old SFP record was:

v=spf1 a mx ip4:203.59.1.0/24 include:aspmx.googlemail.com include:hotmail.com include:gmail.com include:live.com -all

It does looks like there's some redundancy there with two similar includes covering GMail and another two for Hotmail/Live. Simplifying things down (and hopefully not losing any accuracy) I've changed the record to this:

v=spf1 a mx ip4:203.59.1.0/24 include:hotmail.com include:_spf.google.com ~all

This now passes validation. Note that I've reverted back to ~all (a 'Soft' fail which means that recipients won't outright reject emails if there is a problem with the new rule). I'll switch back to -all (a 'hard' fail) after a week or two once I'm happy that nothing is broken!

I'll also be interested to see if the DMARC reports contain passing results for the hotmail emails.

Threat Analysis & Modeling v2.0

2006-07-07T09:34:00.000+09:30

The final release of version 2.0 is now out

Using Annotations to Reduce C/C++ Code Defects

2006-05-22T09:53:00.000+09:30

Michael Howard blogs about using the Standard Annotation Language to improve static code analysis and find more bugs (including security bugs) in your C and C++ source code. I've filed a bug to see if these annotations can be added to the Mozilla source code.

Threat Analysis & Modeling v2.0

2006-03-10T16:07:00.000+10:30

As seen at the recent Adelaide Security seminar, here is the latest threat modelling tool from Microsoft.